Risk Management
Company name
Prepared By: Mahmoud Elmadhoun
Supervised By: Ms. Eman Elagrami
Agenda
• The definition of Risk, and the sections
• Countermeasures in the event of Risk
• How to manage the Risk and probability
The definition of Risk and the sections
• Risk is the probability that a threat exists and can therefore be exploited; what the threat exploits is called the Vulnerability
• From this definition, the main sections of Risk can be separated:
Threat: the process of trying to gain access to confidential information of the organization
Vulnerabilities: weaknesses in the organization through which the attacker can get in
Vulnerabilities
• There are two types:
Technical Vulnerability: weak protection; an attack that uses this kind of vulnerability is known as a technical attack
Administrative Vulnerability: the attack is the so-called non-technical or social engineering attack
Vulnerabilities
• They can also be divided into two levels, by how easy or difficult they are to exploit:
High-level Vulnerability: easy to use; an example is a gap that can be exploited by writing software code
Low-level Vulnerability: the most difficult to use; it requires a lot of financial resources or a long time from the attacker
Example
• XSS (Cross Site Scripting) vulnerability
• (HTML, JavaScript, VBScript, ActiveX, Flash)
• Amending the URL of a given site
• <Script language="Javascript">alert('Welcome')</script>
• http://www.example.com/search?keyword=<Script language="Javascript">alert('Welcome')</script>
• <br><br>Please login with the form below before proceeding:<form action="destination.asp"><table><tr><td>Login:</td><td><input type=text length=20 name=login></td></tr><tr><td>Password:</td><td><input type=text length=20 name=password></td></tr></table><input type=submit value=LOGIN></form>
Vulnerabilities
unsigned
linux-2.4, signed/unsigned
static inline u32* decode_fh(u32 *p, struct svc_fh *fhp)
{
    unsigned int size;
    fh_init(fhp, NFS3_FHSIZE);
    size = ntohl(*p++);
    if (size > NFS3_FHSIZE) return NULL;
    memcpy(&fhp->fh_handle.fh_base, p, size);
    fhp->fh_handle.fh_size = size;
    return p + XDR_QUADLEN(size);
}
Code
#include <stdio.h>
#include <rpcsvc/nfs_prot.h>
#include <rpc/rpc.h>
#include <rpc/xdr.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>

#define NFSPROG 100003
#define NFSVERS 3
#define NFSPROC_GETATTR 1

static struct diropargs heh;

/* XDR encoder for the request argument: writes a single 32-bit word, -1 */
bool_t xdr_heh(XDR *xdrs, diropargs *heh)
{
    int32_t werd = -1;
    return xdr_int32_t(xdrs, &werd);
}

int main(void)
{
    CLIENT * client;
    struct timeval tv;

    client = clnt_create("marduk", NFSPROG, NFSVERS, "udp");
    if(client == NULL) {
        perror("clnt_create\n");
        return 1; /* no client handle, nothing to call */
    }

    tv.tv_sec = 3;
    tv.tv_usec = 0;
    client->cl_auth = authunix_create_default();

    clnt_call(client, NFSPROC_GETATTR, (xdrproc_t) xdr_heh, (char *)&heh,
              (xdrproc_t) xdr_void, NULL, tv);

    return 0;
}
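The signed/unsigned point behind the decode_fh() slide, as an added example (not code from the slides or from the Linux kernel): the same upper-bound check written with a signed and with an unsigned length, followed by a hardened decoder that also checks how many bytes were actually received. FH_MAX and all function names are assumptions made for this demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FH_MAX 64 /* stand-in for NFS3_FHSIZE (assumed value for the demo) */

/* Upper-bound check with a signed length. Returns 1 if the check lets the
 * value through and stores the byte count memcpy() would then receive. */
int check_signed(uint32_t len, size_t *copy_len)
{
    int size = (int)len;       /* 0xffffffff becomes -1 on two's complement */
    if (size > FH_MAX)
        return 0;
    *copy_len = (size_t)size;  /* -1 converts to SIZE_MAX */
    return 1;
}

/* The same check with an unsigned length, as in decode_fh() above. */
int check_unsigned(uint32_t len, size_t *copy_len)
{
    unsigned int size = len;
    if (size > FH_MAX)
        return 0;
    *copy_len = size;
    return 1;
}

/* Hardened decode of "4-byte big-endian length + handle bytes": unsigned
 * length, upper bound, and a check that the buffer holds that many bytes. */
int decode_handle(const unsigned char *buf, size_t buflen,
                  unsigned char out[FH_MAX], size_t *out_len)
{
    uint32_t len;
    if (buflen < 4)
        return 0;
    len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
          ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (!check_unsigned(len, out_len) || *out_len > buflen - 4)
        return 0;
    memcpy(out, buf + 4, *out_len);
    return 1;
}
```

A length word of 0xffffffff passes the signed check and turns into a SIZE_MAX copy length, while the unsigned check rejects it.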
Threat
• There are three essential components of a threat:
Target
Agent
Event
Target
• The target is the organization's information; the attacker can act on each of the following:
Confidentiality: disclosure of the confidential information to others
Integrity: the possibility of changing the organization's information
Availability: through denial of service (DoS)
Accountability: the attacker conceals the attack so as not to be punished for it
Agents
• An agent must have three features:
Access to the target: this may be direct, through an account that can enter the system, or indirect, through an intermediary
Knowledge about the target
Motivation
Events
• Events take many forms; the most important are unauthorized access, and authorized access, to the information or the system, or the introduction of malicious code (viruses or Trojans) into the systems
Countermeasures in the event of Risk
• Information undoubtedly varies from facility to facility and from institution to institution. Depending on the importance of the information, appropriate action may be taken before a danger occurs, which is called the Proactive Model, or after the danger occurs, which is called the Reactive Model
Countermeasures in the event of Risk
• Some examples of countermeasures to the threat or attack:
Firewalls
Anti-virus software
Access Control
Two-factor authentication systems
Well-trained employees
How to manage the Risk and probability
• Steps involved in risk management:
Risk Analysis
Decision Management
Implementation
How to manage the Risk and probability
• Intervention in risk management is divided into two sections:
Reactive Model: a very well-known type, the so-called emotional intervention. For example, a security official in the company downloads an anti-virus program after the virus has spread and destroyed some devices. The cost can be calculated as follows:
Protection cost = total cost of the risk + the cost of countermeasures
How to manage the Risk and probability
Proactive Model: intervention prior to the Risk; this type is much better in terms of cost
Protection cost = cost of the minimum risk + the cost of countermeasures
How to manage the Risk and probability
• Calculating the probability of a threat: the threat is placed at the top of a tree
Search for the paths leading to the occurrence of the threat or potential threat
Combine these paths using (OR, AND)
To calculate the probability, we start from the top down
How to manage the Risk and probability
• Example
The attacker tries to break the root password
Either the attacker tries to find the root password by guessing (Guessing the root password)
Or the attacker attacks the network as a whole, looking for bugs in the network
At this point two conditions on the bugs must be met:
1- there are gaps that can be exploited (AND: the second condition must hold as well)
2- the system is not updated (or not configured properly), which makes this gap a potential path
How to manage the Risk and probability
• P(guessing root password = A) = 5/1000 = 0.005
• P(exploiting active server = B) = 50/1000 = 0.05 (AND)
• P(system is not updated or not configured properly = C) = 0.1
How to manage the Risk and probability
• Assumptions made: guessing the password (A) is an alternative to exploiting the gap (B), and the latter requires condition (C) on the system
• P(attack service = BC) = P(B) * P(C) = 0.05 * 0.1 = 0.005 (AND)
• P(break-in) (total) = P(A) + P(BC) - P(A)P(BC) = 0.005 + 0.005 - 0.005 * 0.005 = 0.009975 (OR)
• Total probability of break-in: 0.009975
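The tree calculation above, generalized to any number of children per node, as an added example (not part of the original slides). It assumes all leaf events are independent, which is what the slide's product and sum formulas imply; the type and function names are chosen for this illustration.

```c
#include <stddef.h>

enum node_kind { NODE_LEAF, NODE_AND, NODE_OR };

struct node {
    enum node_kind kind;
    double p;                    /* probability, used by leaves only */
    const struct node *child[4]; /* children of an AND / OR node */
    size_t n;                    /* number of children in use */
};

/* Probability that the event at node t occurs, assuming independent
 * children: AND = product of the children,
 * OR = 1 - product of (1 - child), which for two children is
 * P(X) + P(Y) - P(X)P(Y), the formula used on the slide. */
double tree_prob(const struct node *t)
{
    double acc = 1.0;
    if (t->kind == NODE_LEAF)
        return t->p;
    for (size_t i = 0; i < t->n; i++) {
        double c = tree_prob(t->child[i]);
        acc *= (t->kind == NODE_AND) ? c : 1.0 - c;
    }
    return (t->kind == NODE_AND) ? acc : 1.0 - acc;
}

/* The slide's tree: break-in = A OR (B AND C), where
 * A = guessing the root password, B = exploiting the active server,
 * C = system not updated or not configured properly. */
double break_in(double pa, double pb, double pc)
{
    struct node a = { NODE_LEAF, pa, { 0 }, 0 };
    struct node b = { NODE_LEAF, pb, { 0 }, 0 };
    struct node c = { NODE_LEAF, pc, { 0 }, 0 };
    struct node bc = { NODE_AND, 0.0, { &b, &c }, 2 };
    struct node root = { NODE_OR, 0.0, { &a, &bc }, 2 };
    return tree_prob(&root);
}
```

With the slide's values, break_in(0.005, 0.05, 0.1) gives 0.009975; setting C to 0 (a fully updated system, the proactive case) leaves only the password-guessing path at 0.005.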